Hi CatNap,
My name is Jason and I am an independent advisor and Windows user.
To successfully update to the Windows UEFI CA 2023 certificate, you must ensure your system has received the required cumulative update (KB5036210 or later), and that your firmware supports Secure Boot DB updates. A reboot—sometimes two—is required after setting the registry key.
Step-by-Step: Deploying the Windows UEFI CA 2023 Certificate
- Ensure Prerequisites Are Met
  - Your system must be running Windows 10 or 11 with updates from February 13, 2024 or later.
  - Install KB5036210 or any newer cumulative update that includes the Secure Boot DB update logic (Microsoft KB5036210).
- Apply the Registry Key

  Run this in elevated PowerShell:

  ```powershell
  # 0x40 requests the "Update DB with Windows UEFI CA 2023" step; -Type DWord makes the value REG_DWORD if it has to be created
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40 -Type DWord
  ```
- Trigger the Scheduled Task

  Still in elevated PowerShell:

  ```powershell
  Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
  ```
- Reboot (Twice if Needed)
  - Reboot your system.
  - If the certificate still hasn't applied, reboot a second time.
  - Some systems require two boots to complete the DB update process.
- Verify the Certificate

  Run this PowerShell command:

  ```powershell
  [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
  ```

  If it returns True, the update succeeded.
Troubleshooting Tips

- **Still returns False?**
  - Confirm your system firmware supports Secure Boot DB updates
  - Check for firmware updates from your OEM (e.g., Dell, Lenovo, ASUS)
  - Ensure Secure Boot is **enabled** in BIOS
- **No `Secure-Boot-Update` task?**
  - You may be missing the required update (KB5036210 or later)
  - Run `Get-ScheduledTask -TaskName *Secure*` to confirm
- **Still stuck?**
  - Use `Get-SecureBootUEFI` to dump the full DB and manually inspect it for the 2023 CA string
  - Check Event Viewer → Applications and Services Logs → Microsoft → Windows → Secure-Boot-Update
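The following script is an added example and is not part of Jason's answer or of any Microsoft tooling. It goes a step beyond the ASCII substring check used above: it parses the Secure Boot `db` variable as the EFI_SIGNATURE_LIST structures defined by the UEFI specification and reports each entry by certificate subject, thumbprint and expiry, so you can see the 2011 and 2023 Windows CAs side by side and confirm the result of the steps above. It assumes Windows PowerShell 5.1 or later in an elevated prompt on a UEFI machine; `Get-SecureBootUEFI`, `Confirm-SecureBootUEFI`, `Get-ScheduledTask` and `Get-ScheduledTaskInfo` are built-in cmdlets, while the function names `Get-SecureBootDbEntries`, `Test-WindowsUefiCa2023` and `Get-SecureBootUpdateStatus` are this example's own.

```powershell
# Added example, not part of the answer above. Parses the Secure Boot "db"
# variable as a sequence of EFI_SIGNATURE_LIST structures (UEFI spec) and
# reports every entry, so the 2023 CA can be confirmed by certificate subject
# and thumbprint rather than by a raw ASCII substring match.
# Assumptions: Windows PowerShell 5.1+, elevated, UEFI firmware with Secure
# Boot; Get-SecureBootUEFI / Confirm-SecureBootUEFI come from the built-in
# SecureBoot module. The function names below are the example's own.

# Signature type GUIDs defined by the UEFI specification.
$EFI_CERT_X509_GUID   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [Guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootDbEntries {
    [CmdletBinding()]
    param(
        # Raw db bytes; defaults to reading the live variable. Pass a saved
        # dump instead to inspect a DB captured on another machine.
        [byte[]]$Bytes = (Get-SecureBootUEFI -Name db).Bytes
    )

    $offset = 0
    while ($offset -lt $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then
        # SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each).
        if ($offset + 28 -gt $Bytes.Length) { throw "Truncated EFI_SIGNATURE_LIST header at offset $offset" }
        $type    = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listLen = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrLen  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigLen  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listLen -lt 28 -or $sigLen -lt 16 -or $offset + $listLen -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset (list size $listLen, signature size $sigLen)"
        }
        $listEnd = $offset + $listLen
        $pos     = $offset + 28 + $hdrLen

        # Each EFI_SIGNATURE_DATA is an owner GUID (16 bytes) followed by
        # SignatureSize-16 bytes of payload (a DER certificate or a hash).
        while ($pos + $sigLen -le $listEnd) {
            $owner = [Guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigLen - 1)]
            $entry = [ordered]@{ Type = 'Unknown'; Owner = $owner; Subject = $null; Thumbprint = $null; NotAfter = $null }
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Type       = 'X509'
                $entry.Subject    = $cert.Subject
                $entry.Thumbprint = $cert.Thumbprint
                $entry.NotAfter   = $cert.NotAfter
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $entry.Type       = 'SHA256'
                $entry.Thumbprint = [BitConverter]::ToString($data) -replace '-', ''
            }
            [pscustomobject]$entry
            $pos += $sigLen
        }
        $offset = $listEnd
    }
}

function Test-WindowsUefiCa2023 {
    # True when an X.509 entry whose subject names the 2023 CA is present in db.
    param([byte[]]$Bytes = (Get-SecureBootUEFI -Name db).Bytes)
    $hit = Get-SecureBootDbEntries -Bytes $Bytes |
        Where-Object { $_.Type -eq 'X509' -and $_.Subject -like '*Windows UEFI CA 2023*' }
    return [bool]$hit
}

function Get-SecureBootUpdateStatus {
    # One-shot view of the pieces the steps above touch: Secure Boot state,
    # the AvailableUpdates registry value, the update task, and the db result.
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $avail     = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $task      = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    $info      = if ($task) { $task | Get-ScheduledTaskInfo }
    $sbEnabled = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
    [pscustomobject]@{
        SecureBootEnabled = $sbEnabled
        AvailableUpdates  = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { '(not set)' }
        UpdateTaskPresent = [bool]$task
        UpdateTaskLastRun = $info.LastRunTime
        Ca2023InDb        = Test-WindowsUefiCa2023
    }
}

# Usage: show overall status, then list the X.509 CAs currently trusted by db.
Get-SecureBootUpdateStatus | Format-List
Get-SecureBootDbEntries | Where-Object Type -eq 'X509' |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

The status object is the quick triage view: `UpdateTaskPresent` false points at the missing-update case above, `SecureBootEnabled` false at the BIOS setting, and `Ca2023InDb` false with everything else in order at firmware support or a pending second reboot. The parser throws rather than guessing when a list header is truncated or claims a size past the end of the buffer, which is the behaviour you want when inspecting a variable that the firmware, not the OS, is responsible for writing.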